Masking at the database-native level by using Java UDFs

The IBM® Optim Data Privacy for z/OS® User-Defined Functions (UDFs) provide database-native data masking capabilities that you can deploy directly into PostgreSQL databases or IBM Db2® for Linux®, UNIX, and Windows databases.

You can use the IBM Optim Data Privacy for z/OS UDFs to mask sensitive data directly within SQL queries without extracting data from the database. You can call these functions on specific table columns that contain sensitive data to apply masking operations. Use the UDFs to:
  • Provide database-level protection.
  • Mask sensitive data directly in SQL queries without extracting data from the database, which reduces security risks.
  • Work with existing SQL workflows. You can call the UDF in SELECT statements and other SQL operations.
  • Ensure that masking happens in-database to eliminate data transfer overhead for masking operations.
  • Choose from standard data formats and different masking techniques to meet your data protection requirements.

Data formats and processors

You can use the UDFs to mask column values that have standard data formats such as UsaSocialSecurityNumber and CreditCard. To retrieve the complete list of available formats, use the following API endpoint:
GET v1/masking/categories

The UDFs support multiple masking processors that determine how data is masked. For detailed descriptions of each masking method, see Masking method descriptions (data processor types).

Supported databases

You can deploy the IBM Optim Data Privacy for z/OS UDFs to the following database platforms:
  • IBM Db2 for Linux, UNIX, and Windows
  • PostgreSQL

UDF function

The udfBasicMask function provides simple masking with format and processor type parameters. This function accepts the following parameters:

  • sourceVal: The column value to be masked (VARCHAR 256)
  • format: The data format type (VARCHAR 128)
  • processor: The masking processor type (VARCHAR 128)
  • config: Optional configuration parameters (VARCHAR 1024)
  • metadata: Optional metadata (VARCHAR 1024)
  • iv: Optional initialization vector (VARCHAR 128)
  • key: Optional encryption key (VARCHAR 128)
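
One way to apply udfBasicMask on PostgreSQL is behind a view, so that a reporting role can read only masked columns. This is an added example, not code from the IBM documentation. The schemas, table, columns, and role are hypothetical, '<processor-type>' is a placeholder for a value from the processor list, and passing NULL for the optional parameters is an assumption.

```sql
-- Added example (PostgreSQL). Hypothetical names: schemas app and masked,
-- table app.customers (customer_id, ssn, card_number), role analyst.
-- '<processor-type>' is a placeholder: substitute a processor from
-- "Masking method descriptions (data processor types)".
-- Assumptions: the optional parameters (config, metadata, iv, key) accept
-- NULL, the function was created with an unquoted name, and it resolves
-- on the current search_path.

CREATE SCHEMA IF NOT EXISTS masked;

-- Argument order follows the parameter list above:
-- sourceVal, format, processor, config, metadata, iv, key.
CREATE VIEW masked.customers AS
SELECT
    c.customer_id,
    udfBasicMask(c.ssn, 'UsaSocialSecurityNumber', '<processor-type>',
                 NULL, NULL, NULL, NULL) AS ssn,
    udfBasicMask(c.card_number, 'CreditCard', '<processor-type>',
                 NULL, NULL, NULL, NULL) AS card_number
FROM app.customers AS c;

-- By default a view reads its base table with the view owner's privileges,
-- so the reporting role needs no rights on app.customers itself.
REVOKE ALL ON app.customers FROM analyst;
GRANT USAGE ON SCHEMA masked TO analyst;
GRANT SELECT ON masked.customers TO analyst;

-- Functions inside a view are called as the querying user, so that user
-- needs EXECUTE on the UDF (all seven parameters are VARCHAR).
GRANT EXECUTE ON FUNCTION udfBasicMask(
    varchar, varchar, varchar, varchar, varchar, varchar, varchar
) TO analyst;

-- Check while connected as analyst: the first statement returns masked
-- values, the second fails with a permission error.
--   SELECT * FROM masked.customers LIMIT 5;
--   SELECT ssn FROM app.customers LIMIT 5;
```

If you supply key or iv, do not hard-code them as literals in the view: the view definition is readable from the system catalog.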

Limitations

The IBM Optim Data Privacy for z/OS UDFs do not integrate with the IBM Optim user interface or services. You must manage UDF deployment and usage through database commands.

Performance considerations

The first invocation of a UDF takes longer than subsequent invocations because the UDF must be initialized and the masking formats must be loaded.